Encrypted veeam configuration backup

Protecting Your Veeam Backup Server

Backing up the backups

Should you backup your backup server – hell yeah. If you suffer a site failure and want to start bringing things back the first thing you are going to need is restore your backup server. Veeam Backup and Replication provides this facility through Configuration Backups. Configuration backups dump out the information stored in the DB associated with Veeam to a flat file with a .bco extension

Default Veeam configuration backup settings

The good news is the that these config backups are enabled daily by default.  They will however run to the default backup repository which is held locally on the Veeam backup server. Obviously a key part of your recovery strategy will be ensuring you can cope with the loss of your backup server.

To view your current config backup setup, pull down the main menu and select configuration backup

Selecting configuration backup from Veeam main menu

In the below screenshot we can see an example config backup setup.  The choice of settings is simple frequency, number of restore points and backup repository.

Veeam configuration backup window

You can choose any backup repository as a target. So choosing a remote backup repository will ensure the config file is off sited. Your other option is to use a File Copy Job to ensure that you get two copies of the config and send one of these offsite. Just remember to keep a note of where your config backup is held in your DR plans.

If you have encrypted jobs or tapes in Veeam you will need to enable encrypt configuration backup. If you do not do this configuration backups will not run since otherwise the encryption keys in the config DB could be visible. The added benefit of encrypting config backups is that they will then include the details stored in the credentials manager.  This means that when you restore your backup server you will not need to re-enter credential information.

Encrypted veeam configuration backup


Other availability options

The backup server its self can be backed up as you would with any other VM.  The VM backup of the Veeam backup server can then be backed up to a an offsite repository, or offsited with a copy job.

Another option which would deliver the quickest recovery is that the backup server its self can also be in a Replication Job.

Final Thoughts

  • Start be thinking about what you are trying to achieve, what is the RPO and RTO for your backup server and remember to relate this to your main recovery objectives.  You will not be able to recover any servers until you bring back your backup server
  • Once you have considered what you are trying to achieve think which protection method you need to use from configuration backups, backup copies and replication jobs. Also consider that the protection methods are not mutually exclusive, you can use a combination of them.
  • Finally no matter which method you choose ensure that you document and test the recovery process

Veeam Performance Optimisations

I visited the VeeamON forum a couple of weeks ago and wrote a post on Veeam Version 10 what’s new. One of the other interesting sessions at the event was a presentation on best practices to ensure Veeam Performance Optimisation. I made some notes during the session that I wanted to share to help you get the best performance from Veeam.

Choose the correct backup mode

Forward incremental was recommended as the best general backup mode. In this mode an initial full is created with the first backup, then incrementals for all future backups after this time.

Reverse incremental were recommended for long backup chains, but since the most recent backup point is always a full created by injecting the changed blocks this is an I/O intensive process and slower versus forward incremental.

I have found that jobs which suffer from slow merge times can be improved by scheduling an Active Full. Whilst clearly the Active Full will take some time the incremental backups will no longer require a merge and be much quicker.

Transport Mode

Within the proxy server settings you have a choice of several different transport modes which determine how the data is copied. They are listed below in order of speed from fastest to slowest.

Direct storage access – This mode requires a physical or virtual proxy server, which has direct access to the production data via software or hardware HBA. Although a VM can be used, using a physical server is highly recommended. This is the fastest option allowing all backup data to be transported directly across the SAN

Virtual appliance – This method requires a VM running the proxy role. The VM proxy hot adds the disks that need backing up enabling data to go directly from the datastore eliminating the network

Network – This is the least restrictive method and requires no additional setup or infrastructure. Like in a traditional backup data is copied across the LAN. Although this has generally been considered the slowest, 10Gb is changing this

Transport mode selection screen from Veeam


Consider the performance characteristics of the storage you are using for your repository. RAID choices were mentioned, if you are using a modern storage system things are not going to be so simplistic as changing RAID types to improve performance. My take home from this point was just make sure your particular storage is optimally configured.

Also be sure to check out this Webinar I did with Veeam covering optimising 3PAR performance.

Proxy Affinity

Allows you to assign backup proxies to specific repositories. This could be useful to ensure the proxy in the correct geographic location is used or to ensure proxies with the best connection speed to a repository are utilised. This is set by right clicking a backup repository and choosing proxy affinity.

Setting the proxy affinity at the repository level

Per VM backup files

Prior to Veeam version 9 a single backup file was created for all the VM’s in a job when creating a recovery point. Per VM backups chains, means that each VM in a job creates its own backup chain. The positive impact of this is that more writes can be processed in parallel allowing for greater throughput. This feature is enabled at the repository level within the advanced repository settings.

Changing a Veeam backup chain to use per-vm backup files

Parallel Processing

Enables multiple backup tasks to be completed simultaneously rather than waiting for serial processing, again this allows greater throughput. This is enabled by default and set in general options

Options screen to enable parallell processing and storage latency control

Backup I/O control

This may seem counterintuitive to limit the storage repository but once any storage device becomes over busy and writes start to queue performance can degrade exponentially. By limiting the throughput in cases where high latency has been seen, it may in fact allow writes to be committed in a more timely fashion. This is set in general options and can be seen in the screenshot above in which you set a latency threshold in ms above which the setting kicks in.

Hyper-V RCT (Resilient Change Tracking)

Veeam is able to use Hyper-V native CBT Resilient Changed Tracking if the following criteria are met:

  • All hosts are Hyper-V Server 2016 in cluster
  • Cluster functional level is 2016
  • VM config is version 8


Which stands for Resilient File System is the name for the new Windows file system introduced with Windows Server 2016. When integrated with Veeam it offers the opportunity to significantly reduce the time backups take. Synthetic full backups and the Veeam transform process require a significant amount of moving blocks around to create the backup file. This is an I/O intensive process and takes time to complete, relative to the performance of the underlying storage. When using ReFS the physical movement of blocks is no longer necessary, by harnessing the MS fast cloning capability pointers are simply updated.

If you want to learn more about Veeam be sure e sure to check out The VeeamON Virtual Tour. This is a free online event in which you can learn the latest information about data protection and specifically Veeam.


Veeamon forum london logo

Free UK based Veeam availability event

Veeamon forum london logo

Time goes fast. It doesn’t seem like a year ago since I was at VeeamON Forum London. It was a great event, I got to talk with lots of like-minded people and learn about the latest and greatest in data protection.

Well it’s come around again and in two weeks VeeamON London kicks off on the 12th of October. This is a free one-day event where you can learn about the latest news and best practices from Veeam and their partners.

It is a full days’ worth of information split across two tracks technical deep dive and industry trends Breakout. From the sessions list of particular interest to me is what’s new in version 10, performance optimisations and the cloud related data protection sessions.

I’m going and I hope to see some of you there. If you are going give me a shout in the comments or via LinkedIN / Twitter.

If you’re not already registered you can do so here.